Merge pull request 'Poetry update' (#7 ) from poetry-update-2.3.3 into main

Reviewed-on: #7
Version bump
2026-04-03 07:24:44 +00:00 · 2026-04-03 08:21:12 +01:00 · 2026-04-03 08:19:40 +01:00 · 2026-04-03 08:16:56 +01:00 · 2026-04-03 08:14:37 +01:00 · 2026-03-25 16:31:27 +00:00
6 changed files with 219 additions and 79 deletions
@@ -0,0 +1,188 @@
 name: Security Scan
 on:
  schedule:
    - cron: 27 8 * * *
  workflow_dispatch:
 jobs:
  security-scan:
    runs-on: running-man
    env:
      TARGET_DIR: .
      COSIGN_VERSION: v3.0.5
      SYFT_VERSION: v1.42.3
      GRYPE_VERSION: v0.110.0
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install Cosign (bootstrap)
        run: |
          set -euo pipefail
          FILE="cosign-linux-amd64"
          curl -fLO https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}
          chmod +x ${FILE}
          mv ${FILE} /usr/local/bin/cosign
          cosign version
      - name: Install Syft (verified)
        run: |
          set -euo pipefail
          VERSION_NO_V="${SYFT_VERSION#v}"
          FILE="syft_${VERSION_NO_V}_linux_amd64.tar.gz"
          BASE_URL="https://github.com/anchore/syft/releases/download/${SYFT_VERSION}"
          curl -fLO ${BASE_URL}/${FILE}
          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt
          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.sig
          curl -fLO ${BASE_URL}/syft_${VERSION_NO_V}_checksums.txt.pem
          cosign verify-blob \
            --signature syft_${VERSION_NO_V}_checksums.txt.sig \
            --certificate syft_${VERSION_NO_V}_checksums.txt.pem \
            --certificate-identity-regexp "https://github.com/anchore/syft" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            syft_${VERSION_NO_V}_checksums.txt
          CHECKSUM_LINE=$(grep " ${FILE}$" syft_${VERSION_NO_V}_checksums.txt)
          if [ -z "$CHECKSUM_LINE" ]; then
            echo "Missing checksum entry for ${FILE}"
            exit 1
          fi
          echo "$CHECKSUM_LINE" | sha256sum -c -
          tar -xzf ${FILE}
          mv syft /usr/local/bin/
          syft version
      - name: Install Grype (verified)
        run: |
          set -euo pipefail
          VERSION_NO_V="${GRYPE_VERSION#v}"
          FILE="grype_${VERSION_NO_V}_linux_amd64.tar.gz"
          BASE_URL="https://github.com/anchore/grype/releases/download/${GRYPE_VERSION}"
          curl -fLO ${BASE_URL}/${FILE}
          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt
          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.sig
          curl -fLO ${BASE_URL}/grype_${VERSION_NO_V}_checksums.txt.pem
          cosign verify-blob \
            --signature grype_${VERSION_NO_V}_checksums.txt.sig \
            --certificate grype_${VERSION_NO_V}_checksums.txt.pem \
            --certificate-identity-regexp "https://github.com/anchore/grype" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            grype_${VERSION_NO_V}_checksums.txt
          CHECKSUM_LINE=$(grep " ${FILE}$" grype_${VERSION_NO_V}_checksums.txt)
          if [ -z "$CHECKSUM_LINE" ]; then
            echo "Missing checksum entry for ${FILE}"
            exit 1
          fi
          echo "$CHECKSUM_LINE" | sha256sum -c -
          tar -xzf ${FILE}
          mv grype /usr/local/bin/
          grype version
      - name: Generate SBOM
        working-directory: ${{ env.TARGET_DIR }}
        run: |
          syft dir:. -o json > sbom.json
      - name: Show SBOM contents
        working-directory: ${{ env.TARGET_DIR }}
        run: |
          echo "Packages discovered by Syft:"
          jq -r '.artifacts[] | "\(.name)@\(.version) [\(.type)]"' sbom.json | sort
      - name: Run Grype scan (JSON)
        id: audit
        continue-on-error: true
        working-directory: ${{ env.TARGET_DIR }}
        run: |
          grype sbom:sbom.json -o json > grype.json
          echo "Vulnerabilities (fixable only):"
          jq -r '
            .matches[]
            | select((.vulnerability.fix.versions | length) > 0)
            | "\(.artifact.name)@\(.artifact.version) -> \(.vulnerability.id) [\(.vulnerability.severity)] | fixed: \(.vulnerability.fix.versions[0])"
          ' grype.json
          # Fail only on fixable MEDIUM/HIGH/CRITICAL
          jq -e '
            [
              .matches[]?
              | select(
                  (
                    .vulnerability.severity == "Medium" or
                    .vulnerability.severity == "High" or
                    .vulnerability.severity == "Critical"
                  )
                  and
                  (
                    (.vulnerability.fix.versions | length) > 0
                  )
                )
            ]
            | length == 0
          ' grype.json
      - name: Show full Grype table
        working-directory: ${{ env.TARGET_DIR }}
        run: |
          echo "Full Grype report:"
          grype sbom:sbom.json -o table
      - name: Notify Node-RED on vulnerabilities
        if: steps.audit.outcome == 'failure'
        working-directory: ${{ env.TARGET_DIR }}
        run: |
          jq '
          {
            repo: "guardutils/chguard",
            summary: (
              "Total: " +
              (
                [
                  .matches[]
                  | select((.vulnerability.fix.versions | length) > 0)
                ] | length | tostring
              )
            ),
            vulnerabilities: [
              .matches[]
              | select((.vulnerability.fix.versions | length) > 0)
              | {
                library: .artifact.name,
                cve: .vulnerability.id,
                severity: .vulnerability.severity,
                installed: .artifact.version,
                fixed: (.vulnerability.fix.versions[0]),
                title: .vulnerability.description,
                url: .vulnerability.dataSource
              }
            ]
          }
          ' grype.json \
          | curl -s -X POST https://nodered.sysmd.uk/vulns-alert \
              -H "Content-Type: application/json" \
              --data-binary @-
      - name: Fail workflow if vulnerabilities found
        if: steps.audit.outcome == 'failure'
        run: exit 1
@@ -1,61 +0,0 @@
 ---
 name: Trivy Scan
 on:
  schedule:
    - cron: 17 8 * * *
  workflow_dispatch:
 jobs:
  security-scan:
    runs-on: running-man
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Trivy scan via Docker
        id: trivy
        continue-on-error: true
        run: |
          docker run --rm \
            --volumes-from "$HOSTNAME" \
            aquasec/trivy:latest \
            fs /workspace/guardutils/chguard \
              --scanners vuln \
              --pkg-types library \
              --include-dev-deps \
              --severity MEDIUM,HIGH,CRITICAL \
              --ignore-unfixed \
              --format json \
              --output /workspace/guardutils/chguard/trivy.json \
              --exit-code 1
      - name: Notify Node-RED on vulnerabilities
        if: steps.trivy.outcome == 'failure'
        run: |
          jq -r '
          {
            repo: "guardutils/chguard",
            summary: (
              "Total: " +
              ((.Results[].Vulnerabilities | length) | tostring)
            ),
            vulnerabilities: [
              .Results[].Vulnerabilities[] | {
                library: .PkgName,
                cve: .VulnerabilityID,
                severity: .Severity,
                installed: .InstalledVersion,
                fixed: .FixedVersion,
                title: .Title,
                url: .PrimaryURL
              }
            ]
          }
          ' trivy.json \
          | curl -s -X POST https://nodered.sysmd.uk/trivy-alert \
              -H "Content-Type: application/json" \
              --data-binary @-
      - name: Fail workflow if vulnerabilities found
        if: steps.trivy.outcome == 'failure'
        run: exit 1
@@ -1,19 +1,19 @@
 repos:
  - repo: https://github.com/PyCQA/bandit
-    rev: 1.7.9
+    rev: 1.9.4
    hooks:
      - id: bandit
        files: ^src/mirro/
        args: ["-lll", "-iii", "-s", "B110,B112"]
  - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: 25.11.0
+    rev: 26.3.1
    hooks:
      - id: black
        language_version: python3.13
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v6.0.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
@@ -6,7 +6,6 @@ from datetime import datetime, timezone
 from pathlib import Path
 from platformdirs import user_data_dir
 APP_NAME = "chguard"
@@ -24,8 +23,7 @@ def connect(db_path: Path | None = None) -> sqlite3.Connection:
 def init_db(conn: sqlite3.Connection) -> None:
-    conn.executescript(
+    conn.executescript("""
        """
        CREATE TABLE IF NOT EXISTS states (
            id INTEGER PRIMARY KEY,
            name TEXT UNIQUE NOT NULL,
@@ -46,8 +44,7 @@ def init_db(conn: sqlite3.Connection) -> None:
        );
        CREATE INDEX IF NOT EXISTS idx_entries_state_id ON entries(state_id);
-        """
+        """)
    )
    conn.commit()
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.4 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.3 and should not be changed by hand.
 [[package]]
 name = "argcomplete"
@@ -6,6 +6,7 @@ version = "3.6.3"
 description = "Bash tab completion for argparse"
 optional = false
 python-versions = ">=3.8"
 groups = ["main"]
 files = [
    {file = "argcomplete-3.6.3-py3-none-any.whl", hash = "sha256:f5007b3a600ccac5d25bbce33089211dfd49eab4a7718da3f10e3082525a92ce"},
    {file = "argcomplete-3.6.3.tar.gz", hash = "sha256:62e8ed4fd6a45864acc8235409461b72c9a28ee785a2011cc5eb78318786c89c"},
@@ -20,6 +21,7 @@ version = "3.5.0"
 description = "Validate configuration and produce human readable error messages."
 optional = false
 python-versions = ">=3.10"
 groups = ["dev"]
 files = [
    {file = "cfgv-3.5.0-py2.py3-none-any.whl", hash = "sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0"},
    {file = "cfgv-3.5.0.tar.gz", hash = "sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132"},
@@ -31,6 +33,7 @@ version = "0.4.0"
 description = "Distribution utilities"
 optional = false
 python-versions = "*"
 groups = ["dev"]
 files = [
    {file = "distlib-0.4.0-py2.py3-none-any.whl", hash = "sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16"},
    {file = "distlib-0.4.0.tar.gz", hash = "sha256:feec40075be03a04501a973d81f633735b4b69f98b05450592310c0f401a4e0d"},
@@ -42,6 +45,7 @@ version = "3.20.3"
 description = "A platform independent file lock."
 optional = false
 python-versions = ">=3.10"
 groups = ["main", "dev"]
 files = [
    {file = "filelock-3.20.3-py3-none-any.whl", hash = "sha256:4b0dda527ee31078689fc205ec4f1c1bf7d56cf88b6dc9426c4f230e46c2dce1"},
    {file = "filelock-3.20.3.tar.gz", hash = "sha256:18c57ee915c7ec61cff0ecf7f0f869936c7c30191bb0cf406f1341778d0834e1"},
@@ -53,6 +57,7 @@ version = "2.6.15"
 description = "File identification library for Python"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
    {file = "identify-2.6.15-py2.py3-none-any.whl", hash = "sha256:1181ef7608e00704db228516541eb83a88a9f94433a8c80bb9b5bd54b1d81757"},
    {file = "identify-2.6.15.tar.gz", hash = "sha256:e4f4864b96c6557ef2a1e1c951771838f4edc9df3a72ec7118b338801b11c7bf"},
@@ -67,6 +72,7 @@ version = "4.0.0"
 description = "Python port of markdown-it. Markdown parsing, done right!"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
    {file = "markdown_it_py-4.0.0-py3-none-any.whl", hash = "sha256:87327c59b172c5011896038353a81343b6754500a08cd7a4973bb48c6d578147"},
    {file = "markdown_it_py-4.0.0.tar.gz", hash = "sha256:cb0a2b4aa34f932c007117b194e945bd74e0ec24133ceb5bac59009cda1cb9f3"},
@@ -90,6 +96,7 @@ version = "0.1.2"
 description = "Markdown URL utilities"
 optional = false
 python-versions = ">=3.7"
 groups = ["main"]
 files = [
    {file = "mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8"},
    {file = "mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"},
@@ -101,6 +108,7 @@ version = "1.10.0"
 description = "Node.js virtual environment builder"
 optional = false
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
 groups = ["dev"]
 files = [
    {file = "nodeenv-1.10.0-py2.py3-none-any.whl", hash = "sha256:5bb13e3eed2923615535339b3c620e76779af4cb4c6a90deccc9e36b274d3827"},
    {file = "nodeenv-1.10.0.tar.gz", hash = "sha256:996c191ad80897d076bdfba80a41994c2b47c68e224c542b48feba42ba00f8bb"},
@@ -112,6 +120,7 @@ version = "4.5.1"
 description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`."
 optional = false
 python-versions = ">=3.10"
 groups = ["main", "dev"]
 files = [
    {file = "platformdirs-4.5.1-py3-none-any.whl", hash = "sha256:d03afa3963c806a9bed9d5125c8f4cb2fdaf74a55ab60e5d59b3fde758104d31"},
    {file = "platformdirs-4.5.1.tar.gz", hash = "sha256:61d5cdcc6065745cdd94f0f878977f8de9437be93de97c1c12f853c9c0cdcbda"},
@@ -128,6 +137,7 @@ version = "3.8.0"
 description = "A framework for managing and maintaining multi-language pre-commit hooks."
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 files = [
    {file = "pre_commit-3.8.0-py2.py3-none-any.whl", hash = "sha256:9a90a53bf82fdd8778d58085faf8d83df56e40dfe18f45b19446e26bf1b3a63f"},
    {file = "pre_commit-3.8.0.tar.gz", hash = "sha256:8bb6494d4a20423842e198980c9ecf9f96607a07ea29549e180eef9ae80fe7af"},
@@ -142,13 +152,14 @@ virtualenv = ">=20.10.0"
 [[package]]
 name = "pygments"
-version = "2.19.2"
+version = "2.20.0"
 description = "Pygments is a syntax highlighting package written in Python."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.9"
 groups = ["main"]
 files = [
-    {file = "pygments-2.19.2-py3-none-any.whl", hash = "sha256:86540386c03d588bb81d44bc3928634ff26449851e99741617ecb9037ee5ec0b"},
+    {file = "pygments-2.20.0-py3-none-any.whl", hash = "sha256:81a9e26dd42fd28a23a2d169d86d7ac03b46e2f8b59ed4698fb4785f946d0176"},
-    {file = "pygments-2.19.2.tar.gz", hash = "sha256:636cb2477cec7f8952536970bc533bc43743542f70392ae026374600add5b887"},
+    {file = "pygments-2.20.0.tar.gz", hash = "sha256:6757cd03768053ff99f3039c1a36d6c0aa0b263438fcab17520b30a303a82b5f"},
 ]
 [package.extras]
@@ -160,6 +171,7 @@ version = "6.0.3"
 description = "YAML parser and emitter for Python"
 optional = false
 python-versions = ">=3.8"
 groups = ["dev"]
 files = [
    {file = "PyYAML-6.0.3-cp38-cp38-macosx_10_13_x86_64.whl", hash = "sha256:c2514fceb77bc5e7a2f7adfaa1feb2fb311607c9cb518dbc378688ec73d8292f"},
    {file = "PyYAML-6.0.3-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9c57bb8c96f6d1808c030b1687b9b5fb476abaa47f0db9c0101f5e9f394e97f4"},
@@ -242,6 +254,7 @@ version = "14.2.0"
 description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
 optional = false
 python-versions = ">=3.8.0"
 groups = ["main"]
 files = [
    {file = "rich-14.2.0-py3-none-any.whl", hash = "sha256:76bc51fe2e57d2b1be1f96c524b890b816e334ab4c1e45888799bfaab0021edd"},
    {file = "rich-14.2.0.tar.gz", hash = "sha256:73ff50c7c0c1c77c8243079283f4edb376f0f6442433aecb8ce7e6d0b92d1fe4"},
@@ -260,6 +273,8 @@ version = "4.15.0"
 description = "Backported and Experimental Type Hints for Python 3.9+"
 optional = false
 python-versions = ">=3.9"
 groups = ["dev"]
 markers = "python_version == \"3.10\""
 files = [
    {file = "typing_extensions-4.15.0-py3-none-any.whl", hash = "sha256:f0fa19c6845758ab08074a0cfa8b7aecb71c999ca73d62883bc25cc018c4e548"},
    {file = "typing_extensions-4.15.0.tar.gz", hash = "sha256:0cea48d173cc12fa28ecabc3b837ea3cf6f38c6d1136f85cbaaf598984861466"},
@@ -271,6 +286,7 @@ version = "20.36.1"
 description = "Virtual Python Environment builder"
 optional = false
 python-versions = ">=3.8"
 groups = ["dev"]
 files = [
    {file = "virtualenv-20.36.1-py3-none-any.whl", hash = "sha256:575a8d6b124ef88f6f51d56d656132389f961062a9177016a50e4f507bbcc19f"},
    {file = "virtualenv-20.36.1.tar.gz", hash = "sha256:8befb5c81842c641f8ee658481e42641c68b5eab3521d8e092d18320902466ba"},
@@ -284,9 +300,9 @@ typing-extensions = {version = ">=4.13.2", markers = "python_version < \"3.11\""
 [package.extras]
 docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"]
-test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"]
+test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8) ; platform_python_implementation == \"PyPy\" or platform_python_implementation == \"GraalVM\" or platform_python_implementation == \"CPython\" and sys_platform == \"win32\" and python_version >= \"3.13\"", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10) ; platform_python_implementation == \"CPython\""]
 [metadata]
-lock-version = "2.0"
+lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "8cfa38f4e2f17dba430ea08f7be3c91890a0c7a4535b69d9565b84d714f589bc"
+content-hash = "c1c99dd4ff6557dd08b58f3a8c50b893e68acabcb8b08a48ca78f7319a361635"
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chguard"
-version = "0.3.3"
+version = "0.3.4"
 description = "Safety-first tool to snapshot and restore filesystem ownership and permissions."
 authors = ["Marco D'Aleo <marco@marcodaleo.com>"]
 license = "GPL-3.0-or-later"
@@ -18,7 +18,7 @@ filelock = ">=3.15.4"
 [tool.poetry.scripts]
 chguard = "chguard.cli:main"
-[tool.poetry.dev-dependencies]
+[tool.poetry.group.dev.dependencies]
 pre-commit = "^3.8"
 [tool.black]
Author	SHA1	Message	Date
mdaleo404	88b2dfd1a5	Merge pull request 'Poetry update' (#7 ) from poetry-update-2.3.3 into main Security Scan / security-scan (push) Successful in 1m20s Details Reviewed-on: #7	2026-04-03 07:24:44 +00:00
mdaleo404	ee80306d9a	Version bump Lint & Security / precommit-and-security (pull_request) Successful in 1m2s Details	2026-04-03 08:21:12 +01:00
mdaleo404	cc97d3d7f1	Update Pygments Lint & Security / precommit-and-security (pull_request) Successful in 1m1s Details	2026-04-03 08:19:40 +01:00
mdaleo404	9bf5ef1d7d	Black formatting Lint & Security / precommit-and-security (pull_request) Failing after 1m1s Details	2026-04-03 08:16:56 +01:00
mdaleo404	24696af083	Poetry update Lint & Security / precommit-and-security (pull_request) Failing after 44s Details	2026-04-03 08:14:37 +01:00
mdaleo404	fcef549eba	Exclude unfixed vulnerabilities from security workflow results Security Scan / security-scan (push) Successful in 1m17s Details	2026-03-25 16:31:27 +00:00
mdaleo404	049273a13c	Switch Trivy scan to Syft and Grype	2026-03-25 16:10:01 +00:00
mdaleo404	d00407bb33	Disable trivy scan workflow	2026-03-23 08:02:12 +00:00
mdaleo404	a8dbe675f5	Update pre-commit hooks version Trivy Scan / security-scan (push) Successful in 27s Details	2026-03-21 07:25:11 +00:00
mdaleo404	cc2b1fe791	Ping Trivy docker image to 0.69.3@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c	2026-03-21 07:05:33 +00:00